How Worried Should You Be About Your Printer Security?

As the devices become more sophisticated, vulnerabilities increase.

When I was in graduate school, studying how institutions made decisions about their information security policies, I interviewed an IT worker who told me about a health clinic he had worked for. The clinic had hired a security consultant to come in and make sure all their systems for medical data were compliant with the Health Insurance Portability and Accountability Act by setting up standard security measures—encryption, access controls, a firewall. But then one day the printers in the clinic stopped working. So they brought in another consultant to fix the printers—and several months later discovered that he had fixed them by shutting off the clinic’s firewall.

If you’ve ever wrestled with a temperamental printer (and you probably have), you’ll recognize the impulse—the willingness to sacrifice anything from your network security to your firstborn child for a printer that will simply work. Printers are a uniquely irritating technology: They’re liable to fail you in the moments you most need them and to remind you how woefully dependent your high-tech, eco-friendly, digitized life still is on little pieces of paper.

But there are worse things than printers refusing to print, as several universities discovered in March when racist, anti-Semitic, and anti-gay fliers appeared in the printers of college campuses across the country, including Princeton, Brown, UC–Berkeley, Smith, Mount Holyoke, the University of Massachusetts, Amherst, the University of New Hampshire, the University of Maine, and the University of Maryland. Hacker Andrew Auernheimer, or Weev, claimed responsibility for sending some of the fliers, though he told the New York Times that he had not specifically targeted colleges but instead sent the fliers to every publicly accessible printer in North America.

Auernheimer’s claim raises the interesting question of how many publicly accessible printers, or printers that will accept print jobs from any machine on the Internet, are out there—and why we’re not better about locking down their security. It should come as no surprise that lots of printers have no restrictions on who can print to them, especially in places like college campuses where thousands of people share the devices, and visitors and newcomers may require access. In general, printing is a sufficiently miserable process even without trying to impose extra restrictions on when it will and won’t work in the name of security. That may help explain why, in 2013, there were more than 86,000 publicly available HP printers indexed by Google.

But how big a deal is it, really, if anyone can send things to your printer? It may be startling or offensive, depending on the content, and it may waste paper, ink, and other printer resources, depending on the volume, but it’s unlikely to pose any more serious threat than that. However, there may be greater cause for concern if other people can access the documents that you’re printing. That’s why when printing something sensitive you want to be sure that any wireless network you’re using to connect to a printer is encrypted. Similar risks also apply to the scanning and copying functions on multifunction printers (those that can, say, fax and scan in addition to printing) if those machines save digital copies of the documents they process. In fact, the security of copy machines has been the focus of its own investigations and recommendations from the Federal Trade Commission.

Many of the universities targeted by Auernheimer’s fliers now are taking steps to restrict their printers to credentialed on-campus users, which is eminently sensible, as are precautions to encrypt network traffic and regularly delete any copies of documents stored on shared multifunction printers. And it’s worth keeping in mind that the printers you share with your classmates or colleagues are fundamentally public machines and that the security risks they present are not limited merely to the digital realm.

Even after you’ve successfully printed something to a communal printer, and even if the use of that printer is confined to a specific group of people, you can still end up in uncomfortable situations when someone else stumbles across your résumé or tax return sitting in the paper tray before you pick it up. Some organizations even require people to specifically “release” each printing job at the printer itself to reduce the chances of that happening (or at least reduce the amount of time pages are left lying on the printer). Another approach is to print a blank “cover page” at the beginning of each new printing job with the username of the person who printed it so that other people are less likely to accidentally glimpse any content (of course, this is unlikely to dissuade the really determined snoops).

We’re all perhaps a little too liable to forget how public our printers often are and how careful we need to be around them. When I worked on my college newspaper, an editor came into the newsroom one day with several pages she had found in a computer cluster printer outlining what appeared to be a campaign strategy for one of the candidates running for president of the student government. The document listed several different student groups and sports teams with designated point people in each who were supposed to drum up support for the candidate among the other members (chess club, math club, pingpong club, juggling club, taekwondo, and ballroom dancing were all written off as “weirdo groups” that the other candidate would win). It was a document that gave new meaning to the environmentalist’s email signature admonition to “Think before you print.”

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society.